[c-nsp] IPSEC VPN

Michael K. Smith - Adhost mksmith at adhost.com
Mon Aug 10 15:30:54 EDT 2009


Hi Mohammad:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Mohammad Khalil
> Sent: Monday, August 10, 2009 12:21 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPSEC VPN
> 
> 
> Hi,
> I configured the below on GNS3 simulator
> 
> Router(config)#crypto isakmp policy 1
> 
> Router(config-isakmp)#authentication pre-share
> Router(config)#crypto isakmp key VPNKEY address x.x.x.x
> 
> Router(config)#access-list extended LIST
> 
> Router(config-list)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
> 
> Router(config)#crypto ipsec transform-set SET
> 
> Router(config)#crypto map MAP 10 ipsec-isakmp
> 
> Router(config-crypto-map)#set peer x.x.x.x
> 
> Router(config-crypto-map)#set transform-set SET
> 
> Router(config-crypto-map)#match address LIST
> 
> Router(config)#interface f0/0
> 
> Router(config-if)#crypto map MAP
> 
> and I'm trying to ping 192.168.2.1 source 192.168.1.1 (loopbacks) but I'm
> not able to, and the show crypto isakmp sa produces empty o/p
> 
> Am I missing something here?
> 
nat (inside) 0 access-list LIST

If the .1 addresses in both subnets are the firewall IP addresses, you
won't be able to ping them.  Instead, try pinging through them to a host
on either side.

Finally, "debug crypto isakmp" and "debug crypto ipsec" are your friend,
along with a "term mon" :-)

Regards,

Mike
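
An added example, not part of the original thread: a small Python model of why the NAT exemption suggested above matters for the crypto ACL LIST from the quoted config. It assumes a dynamic NAT/PAT rule that rewrites inside sources to the outside address; that rule, the address 203.0.113.1 and the function names are constructed for illustration.

```python
import ipaddress

def parse_acl_entry(line):
    """Parse 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' (the form used in the post)."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    if proto != "ip":
        raise ValueError("only 'ip' entries are handled in this sketch")
    to_int = lambda a: int(ipaddress.IPv4Address(a))
    return action, to_int(src), to_int(src_wc), to_int(dst), to_int(dst_wc)

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_interesting(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of the list."""
    for action, s, swc, d, dwc in entries:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

# The crypto ACL from the quoted configuration.
LIST = [parse_acl_entry("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")]

# Constructed address: stands in for the translated (outside) source, not from the post.
OUTSIDE_ADDR = "203.0.113.1"

def classify(src, dst, nat_exempt):
    """Return the source the crypto check sees and whether the packet would be protected."""
    # With the exemption, traffic matching LIST keeps its source; otherwise it is
    # translated first (assumed PAT rule) and the crypto ACL sees the new source.
    if not (nat_exempt and is_interesting(LIST, src, dst)):
        src = OUTSIDE_ADDR
    return src, is_interesting(LIST, src, dst)

if __name__ == "__main__":
    for nat_exempt in (False, True):
        print("nat exempt:", nat_exempt, classify("192.168.1.1", "192.168.2.1", nat_exempt))
```

A packet that never matches LIST never triggers IKE negotiation, which is consistent with an empty "show crypto isakmp sa".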

